- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is it possible to re-index lost AD logs?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good Day fellow splunkers,
I just like to ask if is it still possible to re-index lost Windows Active Directory logs? Let's say, AD logs from a month a go. The reason why the logs lost is probably because of network issue. Please check my inputs.conf below.
[admon://default]
disabled = 0
monitorSubtree = 1
index = ad
Cheers,
Dan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, the answer depends on what you mean by "lost", and what you mean by "reindex".
If the log never got to splunk, but a copy is somewhere else that you can access, then YES. (search "manual load data")
If the log never got to splunk, and is not somewhere else that you can access, then NO.
If the log got to splunk, was indexed or went to the null queue, and the incoming log file was sent to oblivion and was not backed up, then NO. You got what you got.
If the log got to splunk, was indexed correctly or incorrectly, and the system is set up to move ingested files to a backup location, then YES. (Search for "reindex data")
If the log got to splunk, was indexed correctly, then got frozen and rolled off and you want it loaded back in, then YES. (Search for "reload frozen")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, the answer depends on what you mean by "lost", and what you mean by "reindex".
If the log never got to splunk, but a copy is somewhere else that you can access, then YES. (search "manual load data")
If the log never got to splunk, and is not somewhere else that you can access, then NO.
If the log got to splunk, was indexed or went to the null queue, and the incoming log file was sent to oblivion and was not backed up, then NO. You got what you got.
If the log got to splunk, was indexed correctly or incorrectly, and the system is set up to move ingested files to a backup location, then YES. (Search for "reindex data")
If the log got to splunk, was indexed correctly, then got frozen and rolled off and you want it loaded back in, then YES. (Search for "reload frozen")
Advanced Splunk Data Management Strategies
Uncovering Multi-Account Fraud with Splunk Banking Analytics
Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...
